Re: Detecting Blaster

From: James Riden (j.riden_at_massey.ac.nz)
Date: 08/14/03

    To: "Bob Sadler" <bobs@LEAWOOD.ORG>
    Date: Fri, 15 Aug 2003 08:33:01 +1200
    
    

    "Bob Sadler" <bobs@LEAWOOD.ORG> writes:

    > I have been trying to figure out if there is a way that I can detect
    > signs of Blaster on a large number of machines on a network without
    > having to actually visit each one.
    >
    > I have a port scanner (Ethereal) and have it set up to look at any frame
    > with destination port 135. Is there a better way to do this, or is the
    > way I'm trying to do this all wrong in the first place?

    Scanning through port 135, incrementing the IP address by one each
    time is pretty typical for this worm. But I'd use e.g. Snort's
    portscan detection to pull out the portscans and then do some analysis
    with a Perl script.

    There's a lot of traffic out there and you don't want to be looking at
    it by hand.

    cheers,
     Jamie

    -- 
    James Riden / j.riden@massey.ac.nz / Systems Programmer - Security
    GPG public key available at: http://www.massey.ac.nz/~jriden/
    This post does not necessarily represent the views of my employer.
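
An added example, not part of the original post and not Snort or project code: the kind of post-processing the reply describes, written in Python rather than Perl, flagging sources whose port-135 connection attempts walk consecutive addresses. The one-line-per-attempt input format, the function names and the `min_run` threshold are assumptions made for illustration, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, one connection attempt per line in time order:
# "epoch_seconds src_ip dst_ip dst_port" (hypothetical sensor export format).
SAMPLE = """\
1060893181 10.1.4.23 10.1.7.253 135
1060893181 10.1.2.9 10.1.0.5 135
1060893182 10.1.4.23 10.1.7.254 135
1060893182 10.1.4.23 10.1.7.254 135
1060893183 10.1.4.23 10.1.7.255 135
1060893183 10.1.2.9 10.1.0.5 445
1060893184 10.1.4.23 10.1.8.0 135
1060893185 10.1.4.23 10.1.8.1 135
1060893186 10.1.2.9 10.1.0.9 135
1060893187 10.1.4.23 10.1.8.2 135
"""

def parse(lines):
    """Yield (src_ip, dst_as_int) for port-135 attempts; as integers,
    10.1.7.255 -> 10.1.8.0 is a step of exactly one. Skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "135":
            continue
        try:
            yield parts[1], int(ipaddress.IPv4Address(parts[2]))
        except ipaddress.AddressValueError:
            continue

def longest_sequential_run(targets):
    """Longest run in which each target is the previous target plus one."""
    best = run = 1 if targets else 0
    for prev, cur in zip(targets, targets[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def suspect_hosts(lines, min_run=5):
    """Map each source that sweeps consecutive addresses on 135 to its run length."""
    seen = defaultdict(list)
    for src, dst in parse(lines):
        if not seen[src] or seen[src][-1] != dst:  # collapse repeated attempts
            seen[src].append(dst)
    runs = {src: longest_sequential_run(t) for src, t in seen.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    for src, n in suspect_hosts(SAMPLE.splitlines()).items():
        print(f"{src}: {n} consecutive addresses probed on port 135")
```

A client that repeatedly talks to the same few servers on port 135 never builds a run, so ordinary RPC traffic stays below the threshold.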